[HOW-TO] Anti-DDoS: APF, BFD, DDoS Deflate, Rootkit Hunter.



Post by chris_c_ » Sun Sep 04, 2011 10:36 am

Obsolete version: http://www.topwebhosts.org/tools/apf-bf ... ootkit.php

Updated version, covering the current releases:
DoS protection via APF (with the new RAB), BFD, DDoS Deflate and Rootkit Hunter

If you run a web host, your servers are constantly hit by denial-of-service (DoS) and brute-force attacks. No method stops 100% of them, but you can protect your servers by applying firewall rules and by detecting and banning the attacking IPs.

This article uses APF, BFD, DDoS Deflate and Rootkit Hunter to detect and protect your server against denial-of-service and brute-force attacks:
http://www.rfxnetworks.com/apf.php
http://www.rfxnetworks.com/bfd.php
http://deflate.medialayer.com/
http://www.rootkit.nl/projects/rootkit_hunter.html

To install these utilities, follow the instructions below.

To begin the installation, log in to your server as root. (If your sshd still accepts password logins for root, that is exactly the surface BFD, below, exists to watch; key-based login with root password logins disabled is the better fix.)

Code:
% ssh -l root [hostname]
root@[hostname]'s password: [password]
Last login: [Date] from [hostname]



APF -- Advanced Policy-based Firewall

http://packages.debian.org/squeeze/apf-firewall

http://www.rfxnetworks.com/apf.php

Summary of features:

* detailed and well commented configuration file
* granular inbound and outbound network filtering
* user id based outbound network filtering
* application based network filtering
* trust based rule files with an optional advanced syntax
* global trust system where rules can be downloaded from a central management server
* reactive address blocking (RAB), next generation in-line intrusion prevention
* debug mode provided for testing new features and configuration setups
* fast load feature that allows for 1000+ rules to load in under 1 second
* inbound and outbound network interfaces can be independently configured
* global tcp/udp port & icmp type filtering with multiple methods of executing filters (drop, reject, prohibit)
* configurable policies for each ip on the system with convenience variables to import settings
* packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
* prerouting and postrouting rules for optimal network performance
* dshield.org block list support to ban networks exhibiting suspicious activity
* spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP blocks
* any number of additional interfaces may be configured as firewalled (untrusted) or trusted (not firewalled)
* additional firewalled interfaces can have their own unique firewall policies applied
* intelligent route verification to prevent embarrassing configuration errors
* advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
* filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
* configurable type of service options to dictate the priority of different types of network traffic
* intelligent default settings to meet everyday server setups
* dynamic configuration of your server's local DNS resolvers into the firewall
* optional filtering of common p2p applications
* optional filtering of private & reserved IP address space


A) On Debian (and related distros like Ubuntu):
Code:
apt-get install apf-firewall


The Debian package may lay its files out differently from the source install described in the rest of this how-to (it ships /etc/default/apf-firewall, for instance); dpkg -L apf-firewall shows the paths it uses.

OR, if your distribution does not have the package yet: get the latest source from rfxnetworks and install it. The tarball arrives over plain HTTP with nothing to verify it against, so look at what you downloaded before running install.sh as root.

Code:
# cd /usr/src
# mkdir utils
# cd utils
# wget http://rfxnetworks.com/downloads/apf-current.tar.gz
# tar xfz apf-current.tar.gz
# cd apf-*
# ./install.sh


B) Read README.apf and README.antidos for the configuration options, then edit /etc/apf/conf.apf and adjust at least the following lines:

Code:
# nano /etc/apf/conf.apf

DEVEL_MODE="0"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,3306"
IG_UDP_CPORTS="53,111"
USE_AD="1"


APF ships with DEVEL_MODE="1": in development mode it installs a cron job that flushes the firewall every 5 minutes, so a mistake cannot lock you out for good. That is the right setting while you test from a second session, and the wrong one for production, because your rules keep disappearing; once you have confirmed that you can still log in with the rules loaded, set DEVEL_MODE="0".

IG_TCP_CPORTS and IG_UDP_CPORTS are the ingress (inbound) ports to open. The list above is only an example: open what the box actually serves to the Internet and nothing else (3306/tcp for MySQL and 111/udp for the portmapper, both in the sample, rarely belong on a public interface), and make sure your SSH port stays in the TCP list. Ranges are written LOW_HIGH, e.g. 3000_3500.

Finally, enable AntiDos by setting USE_AD="1".

Obsolete: edit /etc/apf/ad/conf.antidos as you see fit, and start the APF firewall.

NOTE: newer versions of APF have replaced AntiDos with RAB, "reactive address blocking (RAB), next generation in-line intrusion prevention". On those versions USE_AD and conf.antidos no longer apply; RAB is switched on and tuned with the RAB settings in conf.apf itself (grep -n '^RAB' /etc/apf/conf.apf lists them).

Code:
# nano /etc/apf/ad/conf.antidos
# apf --start


Set to start on boot. With the Debian package this is done in /etc/default/apf-firewall (a source install registers its own init script from install.sh instead, so do not do both):
Code:
nano /etc/default/apf-firewall
RUN="yes"
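The two mistakes that bite with the steps above are leaving DEVEL_MODE on (rules vanish every 5 minutes) and forgetting your own SSH port (you lock yourself out). The following pre-flight check is an added example for this how-to, not part of APF: it reads a conf.apf, validates the port lists and refuses to bless a config that would do either. It assumes conf.apf uses shell-style KEY="value" lines and APF's comma-separated port syntax with "_" for ranges; the sample file it writes is constructed from the values in this post.

```shell
#!/bin/sh
# Pre-flight check of an APF conf.apf before "apf --start".
# Added example for this how-to, not part of APF. It only reads the file.
# Assumptions (labelled, since the post does not spell them out): conf.apf
# holds shell-style KEY="value" lines, and APF port lists are comma-separated
# with "_" marking a range (e.g. 3000_3500).

# apf_get_var FILE KEY -> value of the last uncommented KEY="..." line
apf_get_var() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# apf_valid_num N -> 0 if N is an integer in 1..65535
apf_valid_num() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# apf_valid_port TOKEN -> 0 for a single port or an ascending LOW_HIGH range
apf_valid_port() {
    case $1 in
        *_*_*) return 1 ;;
        *_*)   apf_valid_num "${1%%_*}" && apf_valid_num "${1#*_}" &&
               [ "${1%%_*}" -lt "${1#*_}" ] ;;
        *)     apf_valid_num "$1" ;;
    esac
}

# apf_check_ports LIST -> 0 if every comma-separated token is a valid port/range
apf_check_ports() {
    rc=0
    old_ifs=$IFS; IFS=,
    for p in $1; do
        apf_valid_port "$p" || { echo "bad port token: '$p'" >&2; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# apf_list_has LIST PORT -> 0 if PORT is an exact token of LIST
apf_list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# apf_risky_ports TCP_LIST UDP_LIST -> prints ports that rarely belong on a
# public interface; both appear in the post's sample lists
apf_risky_ports() {
    out=""
    apf_list_has "$1" 3306 && out="$out 3306"   # MySQL
    apf_list_has "$2" 111  && out="$out 111"    # portmapper/rpcbind
    echo "${out# }"
}

# apf_preflight FILE [SSH_PORT] -> 0 when the config is safe to activate:
# DEVEL_MODE off, every port token well-formed, SSH port present.
apf_preflight() {
    f=$1; ssh=${2:-22}; ok=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    if [ "$(apf_get_var "$f" DEVEL_MODE)" != "0" ]; then
        echo "DEVEL_MODE is not 0: the rule set is flushed every 5 minutes" >&2
        ok=1
    fi
    tcp=$(apf_get_var "$f" IG_TCP_CPORTS)
    udp=$(apf_get_var "$f" IG_UDP_CPORTS)
    apf_check_ports "$tcp" || ok=1
    apf_check_ports "$udp" || ok=1
    if ! apf_list_has "$tcp" "$ssh"; then
        echo "SSH port $ssh is not in IG_TCP_CPORTS: you would lock yourself out" >&2
        ok=1
    fi
    risky=$(apf_risky_ports "$tcp" "$udp")
    [ -n "$risky" ] && echo "review these publicly exposed ports: $risky" >&2
    return $ok
}

# Stand-alone demo on a constructed copy of the post's sample values.
demo=${TMPDIR:-/tmp}/conf.apf.demo.$$
cat >"$demo" <<'EOF'
DEVEL_MODE="1"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,3306"
IG_UDP_CPORTS="53,111"
USE_AD="1"
EOF
if apf_preflight "$demo" 22; then
    echo "conf.apf passes pre-flight; safe to run apf --start"
else
    echo "fix conf.apf before apf --start"
fi
rm -f "$demo"
```

Run it as `apf_preflight /etc/apf/conf.apf 22` (or your SSH port) from a second login before every `apf --start`; the sample in the block fails on purpose because the post's values leave DEVEL_MODE="1".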


BFD -- Brute Force Detection
http://www.rfxnetworks.com/bfd.php

BFD is a shell script that parses authentication logs and detects repeated login failures. It is a deliberately simple brute-force detector, and it bans the offending addresses through APF (Advanced Policy-based Firewall), which therefore has to be installed and running first.

Code:
## Get the latest source and untar.
# cd /usr/src/utils
# wget http://rfxnetworks.com/downloads/bfd-current.tar.gz
# tar xfz bfd-current.tar.gz
# cd bfd-*
# ./install.sh


Read the README file, then edit the configuration file /usr/local/bfd/conf.bfd:
Find ALERT="0" and replace it with ALERT="1"
Find EMAIL_USR="root" and replace it with EMAIL_USR="username@yourdomain.com"
(TRIG in the same file is the number of failures from one address that triggers a ban.)

Edit /usr/local/bfd/ignore.hosts and add your own trusted IPs. BFD bans through APF and does so regardless of APF's allow_hosts.rules, so a trusted address that is missing from ignore.hosts can still be banned; list every address you administer from, or you will lock yourself out.

Code:
## Start the program.
# /usr/local/sbin/bfd -s
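To see what "parses security logs and detects authentication failures" amounts to, here is the detection logic run over a few sshd log lines. This is an added example for this how-to, not BFD's own code: it counts "Failed password" lines per source address, skips anything on an ignore list, and prints the APF deny command it would issue instead of running it. It assumes syslog-format OpenSSH messages, an ignore list of one plain IP per line (the form BFD's ignore.hosts uses), and APF's `apf -d HOST COMMENT` deny syntax; the log lines and addresses are constructed (RFC 5737 documentation ranges), not captured traffic.

```shell
#!/bin/sh
# BFD-style brute-force detection over an sshd auth log, as an added example
# for this how-to; it is not BFD's own code. It only prints; nothing is banned.
# Assumptions: syslog-format OpenSSH "Failed password" lines, an ignore list of
# one plain IP per line with "#" comments, and APF's "apf -d HOST COMMENT"
# deny form for the commands it would issue.

# bfd_write_sample LOG IGNORE -> writes constructed sample data (RFC 5737
# documentation addresses, not real traffic) so the example runs offline
bfd_write_sample() {
    cat >"$1" <<'EOF'
Sep  4 10:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep  4 10:12:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Sep  4 10:12:05 web1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Sep  4 10:12:10 web1 sshd[2215]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Sep  4 10:12:15 web1 sshd[2219]: Failed password for root from 198.51.100.20 port 40030 ssh2
Sep  4 10:12:16 web1 sshd[2219]: Failed password for root from 198.51.100.20 port 40030 ssh2
Sep  4 10:12:17 web1 sshd[2219]: Failed password for root from 198.51.100.20 port 40030 ssh2
Sep  4 10:12:20 web1 sshd[2221]: Failed password for root from 192.0.2.9 port 33001 ssh2
Sep  4 10:12:21 web1 sshd[2223]: Failed password for root from 192.0.2.9 port 33002 ssh2
Sep  4 10:12:30 web1 sshd[2225]: Failed password for root from 192.0.2.9 port 33003 ssh2
Sep  4 10:12:31 web1 sshd[2227]: Failed password for root from 192.0.2.9 port 33004 ssh2
EOF
    cat >"$2" <<'EOF'
# trusted hosts, one IP per line (the form BFD's ignore.hosts uses)
198.51.100.20
EOF
}

# bfd_scan LOG IGNORE [TRIGGER] -> prints, sorted, each source IP with at least
# TRIGGER failed password attempts that is not on the ignore list
bfd_scan() {
    awk -v trig="${3:-5}" '
        # first file: the ignore list
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) ign[$1] = 1; next }
        # second file: the auth log; only sshd password failures are counted
        /sshd\[[0-9]+\]: Failed password for .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (!(ip in ign)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= trig) print ip }
    ' "$2" "$1" | sort
}

# bfd_ban_cmds LOG IGNORE [TRIGGER] -> prints (does not run) the APF deny
# command for each offender, with a BFD-style comment tag
bfd_ban_cmds() {
    bfd_scan "$@" | while read -r ip; do
        echo "apf -d $ip {bfd.sshd}"
    done
}

# Stand-alone demo with the trigger lowered to 3 (conf.bfd's TRIG default is higher).
log=${TMPDIR:-/tmp}/bfd.demo.log.$$
ign=${TMPDIR:-/tmp}/bfd.demo.ignore.$$
bfd_write_sample "$log" "$ign"
echo "offenders at TRIG=3:"
bfd_scan "$log" "$ign" 3
echo "commands BFD would run:"
bfd_ban_cmds "$log" "$ign" 3
rm -f "$log" "$ign"
```

Note that 198.51.100.20 has three failures in the sample but never appears in the output: that is what ignore.hosts buys you, and why your own addresses belong in it. Point `bfd_scan` at /var/log/auth.log and your real ignore.hosts to preview what a given TRIG would ban before lowering it.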



DDoS Deflate
http://deflate.medialayer.com/

DDoS Deflate is a shell script that counts the connections each remote address holds open (using netstat), bans any address above its NO_OF_CONNECTIONS threshold through APF (or iptables directly), and lifts the ban again after BAN_PERIOD seconds. Its cron job runs every minute.

Code:
## Get the latest source
# cd /usr/src/utils
# mkdir ddos
# cd ddos
# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh


Note that the installer is fetched from a different host than the project page, over plain HTTP, and is then run as root: read install.sh (and the ddos.sh it downloads) before executing it.

Edit the configuration file /usr/local/ddos/ddos.conf, in particular NO_OF_CONNECTIONS (the default of 150 is a per-address count, and a low value bans legitimate users who share one NAT gateway or proxy), then install the cron job:

Code:
# /usr/local/ddos/ddos.sh -c
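The counting step is where this class of script goes wrong, so here it is worked through on a saved `netstat -ntu` snapshot. This is an added example for this how-to, not the project's ddos.sh: `ddos_naive_count` reproduces the classic `cut -d: -f1` approach used by scripts of that era, which is fine for IPv4 but reports the first hextet ("2001") for every IPv6 peer, lumping unrelated clients together; `ddos_top` strips only the trailing `:port` and counts correctly for both. The netstat output is constructed from documentation address ranges, not captured traffic.

```shell
#!/bin/sh
# Per-source connection counting in the style of DDoS Deflate, as an added
# example for this how-to (not the project's own ddos.sh). It only reports.
# Assumption: input is saved "netstat -ntu" output; the sample below is
# constructed with documentation address ranges, not captured traffic.

# ddos_write_sample FILE -> writes a constructed netstat -ntu snapshot
ddos_write_sample() {
    cat >"$1" <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51003       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.20:40022     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::7:6000      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::7:6001      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::7:6002      ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.7:5353        ESTABLISHED
EOF
}

# ddos_naive_count FILE -> the classic "cut -d: -f1" approach. Correct for
# IPv4, but an IPv6 peer is reduced to its first hextet ("2001"), so unrelated
# IPv6 clients are counted together and an innocent prefix can end up banned.
ddos_naive_count() {
    awk '$1 ~ /^(tcp|udp)/ { split($5, a, ":"); c[a[1]]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# ddos_top FILE [THRESHOLD] -> "count ip" for each peer at or above THRESHOLD,
# busiest first. The port is removed with a regex anchored at the end of the
# field, which is right for both "a.b.c.d:port" and "v6:addr::x:port".
ddos_top() {
    awk -v thr="${2:-150}" '
        $1 ~ /^(tcp|udp)/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)      # strip only the trailing :port
            c[peer]++
        }
        END { for (ip in c) if (c[ip] >= thr) print c[ip], ip }
    ' "$1" | sort -rn
}

# Stand-alone demo. NO_OF_CONNECTIONS defaults to 150; a threshold of 3 is
# used here only so the small constructed sample trips it.
snap=${TMPDIR:-/tmp}/ddos.demo.$$
ddos_write_sample "$snap"
echo "naive count (note the bogus 2001 entry):"
ddos_naive_count "$snap"
echo "peers at or above 3 connections:"
ddos_top "$snap" 3
rm -f "$snap"
```

Feed `ddos_top` a live snapshot with `netstat -ntu > /tmp/snap; ddos_top /tmp/snap 150` to see what the configured NO_OF_CONNECTIONS would ban right now; if your own monitoring host or a customer's NAT gateway shows up, raise the threshold or add the address to the script's ignore list before enabling the cron job.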



Rootkit Hunter -- rootkit, backdoor and local exploit scanner

Rootkit Hunter (rkhunter) compares system binaries against known-good properties, looks for the files, directories and kernel modules that known rootkits leave behind, and reports what looks wrong; it detects, it does not remove. Go to the Rootkit Hunter homepage and download the latest release (on Debian, apt-get install rkhunter works too).
http://www.rootkit.nl/projects/rootkit_hunter.html

Code:
## Get the latest source and untar
# cd /usr/src/utils
# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
# tar xfz rkhunter-*.gz
## the tarball unpacks into rkhunter-<version>, not rkhunter
# cd rkhunter-*
## installer.sh does nothing without an action; --install uses the default /usr/local layout
# ./installer.sh --install
## run rkhunter
# rkhunter -c


Before the first check, and after every legitimate package upgrade, run rkhunter --propupd to record the file-properties baseline; without it every updated binary is reported as changed, and a baseline taken after a compromise would whitelist the intruder's files. rkhunter -c is the interactive check; from cron use rkhunter --cronjob --report-warnings-only.


Set up automatic protection on system reboot

Code:
## Edit /etc/rc.d/rc.local
##      (Debian and Ubuntu use /etc/rc.local instead)
## Add the following lines at the bottom of the file

/usr/local/sbin/apf --start
/usr/local/ddos/ddos.sh -c


This applies to the source installs only: the Debian apf-firewall package is started by its init script once RUN="yes" is set, and install.sh from the source tarball also registers an init script, so check ls /etc/init.d/apf* before starting APF a second way. ddos.sh -c writes a cron entry that survives reboots, so it needs to be run once, not at every boot.


Note:

SYN floods and ICMP DDoS may also be mitigated with the Linux traffic control utility (tc).

For setup instructions, see the relevant sections of the Linux Advanced Routing & Traffic Control HOWTO ( http://www.topwebhosts.org/tools/lartc-ddos.php ), reproduced under "DDoS protection with bandwidth shaping" below.

Notes from the users:

Some users have seen the following error when starting APF:

Code:
bash# apf --start

Unable to load iptables module (ip_tables), aborting.


According to Burst and Ryan of r-fx.org, change this variable in /etc/apf/conf.apf to correct the problem:
Code:
SET_MONOKERN="1"

The message means APF tried to load the ip_tables module and failed. SET_MONOKERN="1" tells APF the kernel is monolithic (netfilter compiled in, nothing to load) and skips the module step. Only set it if that is actually the case, i.e. iptables -L -n already works with no ip_tables module loaded; on a kernel that simply lacks netfilter it just moves the failure to the first rule.






DDoS protection with bandwidth shaping

The two methods below are extracted from the LARTC HOWTO and are included here to make this a complete reference; for the latest updates, see the source document.
15.2. Protecting your host from SYN floods

From Alexey's iproute documentation, adapted to netfilter and with more plausible paths. If you use this, take care to adjust the numbers to reasonable values for your system.

If you want to protect an entire network, skip this script, which is best suited for a single host.

It appears that you need the very latest version of the iproute2 tools to get this to work with 2.4.0.
Code:
#! /bin/sh -x
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN (eg
# in addition the subnet)
#
#path to various utilities;
#change to reflect yours.
#
TC=/sbin/tc
IP=/sbin/ip
IPTABLES=/sbin/iptables
INDEV=eth2
#
# tag all incoming SYN packets through $INDEV as mark value 1
# (the original script used $iptables, lower case, which is unset,
# so the marking rule was silently never added)
############################################################
$IPTABLES -t mangle -A PREROUTING -i $INDEV -p tcp --syn \
  -j MARK --set-mark 1
############################################################
#
# install the ingress qdisc on the ingress interface
############################################################
$TC qdisc add dev $INDEV handle ffff: ingress
############################################################

#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
# serves to show the point - JHS)
############################################################
$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
  police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################


#
echo "---- qdisc parameters Ingress  ----------"
$TC qdisc ls dev $INDEV
echo "---- Class parameters Ingress  ----------"
$TC class ls dev $INDEV
echo "---- filter parameters Ingress ----------"
$TC filter ls dev $INDEV parent ffff:

#deleting the ingress qdisc (and the mark rule that feeds it)
#$TC qdisc del dev $INDEV ingress
#$IPTABLES -t mangle -D PREROUTING -i $INDEV -p tcp --syn -j MARK --set-mark 1



15.3. Rate limit ICMP to prevent dDoS

Recently, distributed denial of service attacks have become a major nuisance on the Internet. By properly filtering and rate limiting your network, you can avoid becoming either a casualty or the cause of these attacks.

You should filter your networks so that you do not allow non-local IP source addressed packets to leave your network. This stops people from anonymously sending junk to the Internet.

Rate limiting goes much as shown earlier. To refresh your memory, our ASCIIgram again:

Code:
[The Internet] ------ [Linux router] --- [Office+ISP]
                                      eth1          eth0

We first set up the prerequisite parts:

Code:
# tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
# tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate \
  10Mbit allot 1514 prio 5 maxburst 20 avpkt 1000


If you have 100Mbit, or more, interfaces, adjust these numbers. Now you need to determine how much ICMP traffic you want to allow. You can perform measurements with tcpdump, by having it write to a file for a while, and seeing how much ICMP passes your network. Do not forget to raise the snapshot length!

If measurement is impractical, you might want to choose 5% of your available bandwidth. Let's set up our class:

Code:
# tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth 10Mbit rate \
  100Kbit allot 1514 weight 800Kbit prio 5 maxburst 20 avpkt 250 \
  bounded


This limits at 100Kbit. Now we need a filter to assign ICMP traffic to this class:

Code:
# tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip \
  protocol 1 0xFF flowid 10:100